July 15, 2021

Am I Out of Line?

I currently work for a small company as a security analyst. I handle a lot of the IT compliance efforts and am aided by software that helps to alert to compliance needs so it’s pretty easy. I am very technically capable – networking and dev experience.

My position is only in the standard user pool and is not given access to any of our firewall systems, any of our servers (from SMTP to SQL to Win servers), no IDS tools, nothing outside of Office365, Outlook, and the internet.

Our VP of IT Security is non-technical and for that reason it seems like infrastructure locks us out completely. The only people that have insight into what is REALLY configured for firewalls, what updates we’re on/patches we’ve applied, how our technical security posture looks are members of infrastructure. I just have to take them at their word.

Am I out of line for thinking I should have access to some of that stuff? If I’m signing off on compliance stuff should I not be able to see the EXACT configs? Am I being set up as a fall guy?

Whenever I ask infra for info, about 75% of the time they are “too busy,” yet whenever I ask to help them they “don’t have anything for me.” Like wtf is that? You’re short-handed but won’t take a capable individual?

Looking for advice.

Comments

bitslammer

You are 100% correct in your thinking. While you don’t need access to change things like the firewall config, you should have read access, or at the very least they need to furnish you with a current copy of the config.

This would never fly in a mature shop or one that deals with a lot of regulatory/compliance issues. There’s no separation of duties as the infrastructure people are essentially auditing themselves.

I would definitely never “sign off” on anything in this situation.

OldZoomie2020

There’s no reason they can’t export the network infrastructure configs to a separate system.

There’s plenty of open source tools that would give you access to the configs for audit without actually touching the systems themselves.

When I did audits for multinationals, it was nearly routine to find private (and undocumented) GRE tunnels from some guy’s basement, and supposedly long-since deprovisioned routers and switches that still had active ports that were open and accessible from the internet.
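OldZoomie2020’s suggestion of auditing exported configs rather than the live devices, as an added example that is not part of this thread or anyone’s real tooling: a small read-only audit script that reads a config export and compares it against a documented inventory. The IOS-style config text, the inventory, the hostnames and addresses, and the check names are all constructed assumptions for illustration; the same three checks (decommissioned host still active, undocumented GRE tunnel, permit-any rule) are the kind of thing an analyst could run against a copy of the configs without ever logging in to infrastructure’s systems.

```python
"""Read-only audit of an exported network config snapshot.

Constructed example: the config text, inventory and check names are
assumptions for illustration, not any vendor's real output.
"""
import re
from dataclasses import dataclass

# Constructed sample: an IOS-style running config exported from a router that
# the inventory lists as decommissioned. Names and addresses are made up.
SAMPLE_CONFIG = """\
hostname edge-rtr-old
!
interface GigabitEthernet0/0
 description uplink to ISP
 ip address 203.0.113.10 255.255.255.248
 no shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface Tunnel7
 description temp
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
ip access-list extended OUTSIDE-IN
 permit tcp any any eq 22
 permit tcp 203.0.113.0 0.0.0.7 host 203.0.113.10 eq 443
 deny ip any any
!
"""

# Constructed "documented" inventory that the export is compared against.
INVENTORY = {
    "decommissioned_hosts": {"edge-rtr-old"},
    "approved_tunnels": {"Tunnel0"},
}


@dataclass
class Interface:
    name: str
    shutdown: bool = False
    is_gre: bool = False
    description: str = ""


def parse_hostname(config):
    m = re.search(r"^hostname (\S+)", config, re.M)
    return m.group(1) if m else None


def parse_interfaces(config):
    """Split the export into interface stanzas; each stanza ends at a '!' line."""
    interfaces = []
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1].strip())
            interfaces.append(current)
        elif line.strip() == "!":
            current = None
        elif current is not None:
            stripped = line.strip()
            if stripped == "shutdown":
                current.shutdown = True
            elif stripped.startswith("tunnel mode gre"):
                current.is_gre = True
            elif stripped.startswith("description "):
                current.description = stripped[len("description "):]
    return interfaces


def parse_acl_permits(config):
    """Return (acl_name, rule) for every permit line in a named extended ACL."""
    permits = []
    acl = None
    for line in config.splitlines():
        if line.startswith("ip access-list "):
            acl = line.split()[-1]
        elif line.strip() == "!":
            acl = None
        elif acl and line.strip().startswith("permit "):
            permits.append((acl, line.strip()))
    return permits


def audit(config, inventory):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    host = parse_hostname(config)
    interfaces = parse_interfaces(config)
    active = [i for i in interfaces if not i.shutdown]
    # Check 1: a host the inventory says is gone still has interfaces up.
    if host in inventory["decommissioned_hosts"] and active:
        names = ", ".join(i.name for i in active)
        findings.append(("high", f"{host} is listed as decommissioned but has active interfaces: {names}"))
    # Check 2: a live GRE tunnel that nobody documented.
    for i in interfaces:
        if i.is_gre and not i.shutdown and i.name not in inventory["approved_tunnels"]:
            findings.append(("high", f"{host}: undocumented GRE tunnel {i.name} ({i.description or 'no description'})"))
    # Check 3: permit rules with both source and destination set to any.
    for acl, rule in parse_acl_permits(config):
        if re.search(r"\bany any\b", rule):
            findings.append(("medium", f"{host}: ACL {acl} permits any to any: '{rule}'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG, INVENTORY):
        print(f"[{severity}] {message}")
```

Run against the constructed export it reports three findings: the decommissioned router with two active interfaces, the undocumented Tunnel7, and the permit-any SSH rule. The point of the design is that the input is a text file someone handed over (or a nightly export to a system the analyst can read), so the checks need no credentials on the devices themselves, which is exactly the separation bitslammer describes.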
